EXMO Exchange Hot Wallets Compromised: Approximately $10.5 Million Stolen
Summary
On December 21, 2020, attackers gained unauthorized access to the EXMO exchange’s hot wallets. With control of the signing keys for those wallets, they broadcast withdrawals of their own, draining a substantial amount of cryptocurrency across several chains.
Attackers
The identities of the attackers remain undisclosed. The following addresses were involved (the chain of each is identified from its address format):
- 1A4PXZE5j8v7UuapYckq6fSegmY5i8uUyq (Bitcoin, legacy P2PKH format)
- 0x4BA6B2fF35055aF5406923406442cD3aB29F50Ce (Ethereum-format 0x account; ETH, ETC and ERC-20 USDT share this format)
- qrfrw5q9gag2vp6jc5nlx0haplm2jlhx9vsvxd9u3e (Bitcoin Cash, CashAddr format)
- t1StUQiw1YyHT515xDxwxjfhEcw2iGSq2yL (Zcash, transparent address)
- rwU8rAiE2eyEPz3sikfbHuqCuiAtdXqa2v, destination tag 2033412069 (XRP Ledger)
- 0x4d9EF6846126Da2867AF503448be0508542C971e (Ethereum-format 0x account)
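Before loading attacker addresses like the ones above into a blocklist or a chain-monitoring rule, it is worth confirming which chain each one belongs to and that its checksum is intact, so that a transcription error does not silently become a dead indicator. The Python script below is an added example (it is not code from this write-up or from EXMO): it classifies an address by format and verifies the Base58Check checksum for Bitcoin, Zcash transparent and XRP addresses and the CashAddr checksum for Bitcoin Cash. 0x addresses are checked for shape only, because EIP-55 mixed-case verification needs keccak-256, which the Python standard library does not ship, and the format alone cannot distinguish ETH, ETC and ERC-20 USDT. Version bytes and CashAddr constants are taken from the respective address specifications; the address list is copied from this page purely as sample input, and the classification function is general, not tied to these six strings.

```python
"""Classify cryptocurrency addresses by format and verify their checksums.

Added example, not code from the original write-up or from EXMO. The six
addresses at the bottom are copied from the incident write-up and serve only
as sample input; version bytes and CashAddr constants come from the public
address specifications.
"""
import hashlib
from typing import List, Optional, Tuple

BTC_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# XRP Ledger uses Base58Check too, but with a permuted alphabet.
XRP_ALPHABET = "rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz"
CASHADDR_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def base58check_decode(addr: str, alphabet: str) -> Optional[bytes]:
    """Decode Base58Check; return the payload (version byte(s) + body), or
    None if a character is outside the alphabet or the checksum fails."""
    n = 0
    for ch in addr:
        idx = alphabet.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading "zero" digit (1 for Bitcoin, r for XRP) encodes a 0x00 byte.
    pad = len(addr) - len(addr.lstrip(alphabet[0]))
    raw = b"\x00" * pad + raw
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return payload if digest[:4] == checksum else None


def cashaddr_polymod(values: List[int]) -> int:
    """CashAddr polynomial checksum over 5-bit groups; zero means valid."""
    c = 1
    for d in values:
        c0 = c >> 35
        c = ((c & 0x07FFFFFFFF) << 5) ^ d
        if c0 & 0x01:
            c ^= 0x98F2BC8E61
        if c0 & 0x02:
            c ^= 0x79B76D99E2
        if c0 & 0x04:
            c ^= 0xF33E5FB3C4
        if c0 & 0x08:
            c ^= 0xAE2EABE2A8
        if c0 & 0x10:
            c ^= 0x1E4F43E470
    return c ^ 1


def cashaddr_valid(addr: str, prefix: str = "bitcoincash") -> bool:
    """Verify a CashAddr string; the 'bitcoincash:' prefix may be omitted on
    the wire but is always part of the checksum computation."""
    body = addr[len(prefix) + 1:] if addr.startswith(prefix + ":") else addr
    if body not in (body.lower(), body.upper()):  # mixed case is rejected
        return False
    body = body.lower()
    if any(ch not in CASHADDR_CHARSET for ch in body):
        return False
    data = [CASHADDR_CHARSET.index(ch) for ch in body]
    expanded_prefix = [ord(ch) & 0x1F for ch in prefix] + [0]
    return cashaddr_polymod(expanded_prefix + data) == 0


def classify(addr: str) -> Tuple[str, str, Optional[bool]]:
    """Return (chain, address kind, checksum_ok). checksum_ok is None when the
    checksum cannot be verified here (EIP-55 needs keccak-256)."""
    if not addr:
        return ("unknown", "empty", False)
    if addr.startswith("0x") and len(addr) == 42 and all(c in "0123456789abcdefABCDEF" for c in addr[2:]):
        # Same shape on ETH, ETC and for ERC-20 USDT; format alone cannot tell them apart.
        return ("EVM (ETH/ETC/ERC-20)", "account", None)
    if addr.startswith(("t1", "t3")):  # Zcash transparent: 2-byte version 0x1CB8 / 0x1CBD
        payload = base58check_decode(addr, BTC_ALPHABET)
        want = b"\x1c\xb8" if addr.startswith("t1") else b"\x1c\xbd"
        kind = "transparent P2PKH" if addr.startswith("t1") else "transparent P2SH"
        return ("ZEC", kind, payload is not None and len(payload) == 22 and payload[:2] == want)
    if addr[0] in "13":  # Bitcoin legacy: version 0x00 (P2PKH) or 0x05 (P2SH)
        payload = base58check_decode(addr, BTC_ALPHABET)
        want = 0x00 if addr[0] == "1" else 0x05
        kind = "P2PKH" if addr[0] == "1" else "P2SH"
        return ("BTC", kind, payload is not None and len(payload) == 21 and payload[0] == want)
    if addr[0] == "r":  # XRP classic address: version 0x00 + 20-byte account id
        payload = base58check_decode(addr, XRP_ALPHABET)
        return ("XRP", "account", payload is not None and len(payload) == 21 and payload[0] == 0)
    body = addr.split(":")[-1]
    if body and body[0] in "qp":  # CashAddr type group: q = P2PKH, p = P2SH
        return ("BCH", "P2PKH" if body[0] == "q" else "P2SH", cashaddr_valid(addr))
    return ("unknown", "unrecognized", False)


# Sample input copied from the write-up (the XRP destination tag is omitted; it is
# not part of the address and not covered by its checksum).
ATTACKER_ADDRESSES = [
    "1A4PXZE5j8v7UuapYckq6fSegmY5i8uUyq",
    "0x4BA6B2fF35055aF5406923406442cD3aB29F50Ce",
    "qrfrw5q9gag2vp6jc5nlx0haplm2jlhx9vsvxd9u3e",
    "t1StUQiw1YyHT515xDxwxjfhEcw2iGSq2yL",
    "rwU8rAiE2eyEPz3sikfbHuqCuiAtdXqa2v",
    "0x4d9EF6846126Da2867AF503448be0508542C971e",
]


def classify_all(addrs: List[str]) -> List[Tuple[str, str, str, Optional[bool]]]:
    """Classify a batch; each row is (address, chain, kind, checksum_ok)."""
    return [(a,) + classify(a) for a in addrs]


if __name__ == "__main__":
    for addr, chain, kind, ok in classify_all(ATTACKER_ADDRESSES):
        status = "n/a" if ok is None else ("checksum ok" if ok else "CHECKSUM FAILED")
        print(f"{chain:22} {kind:18} {status:16} {addr}")
```

Any row that prints CHECKSUM FAILED is an indicator that was mistyped somewhere between the blockchain and your blocklist, and should be re-read from the original transaction rather than deployed as-is.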
Losses
The breach resulted in the theft of cryptocurrency worth around $10.5 million, broken down by asset as follows:
- 306.98 BTC
- 1,882.6 BCH
- 867 ETH
- 20,651 ETC
- 476,521 XRP
- 39,285 ZEC
- 50,000 USDT
Timeline
- December 26, 2017: Pavel Lerner, EXMO’s lead analyst, was kidnapped in Kyiv. EXMO spokesman Anatoliy Larin commented:
We are doing everything possible to speed up the search for Pavel Lerner. Despite the situation, the exchange is working as usual. We also want to stress that the nature of Pavel’s job at Exmo doesn’t assume access either to storage or to any personal data of users. All users’ funds are absolutely safe.
- December 28, 2017: EXMO experienced a targeted DDoS attack, temporarily shutting down its website.
- December 29, 2017: Pavel Lerner was freed after a $1 million ransom was paid, with no physical harm inflicted on him.
- December 21, 2020, 02:27 UTC: Attackers gained access to EXMO’s hot wallets and moved the funds to addresses under their control.
- September 8, 2021: EXMO published a postmortem stating that the underlying issues had been resolved.
Security Failure Causes
Private Key Compromise: The hot-wallet breach was a private-key compromise. The attackers most likely exploited weaknesses in the exchange’s infrastructure to reach the keys; the exact path to them has not been detailed. Hot wallets by design keep signing keys on internet-connected systems, so any foothold on those systems (or on the service that holds the keys) is effectively the ability to sign withdrawals. For that reason the amount kept in hot wallets, not the strength of the perimeter around them, is what bounds the loss from an incident of this kind.